Remediating Unused IAM Users

This tutorial walks through identifying and deleting an IAM user that has been inactive for 90+ days.

Overview

Unused IAM users represent a security risk — dormant credentials can be compromised without anyone noticing. Regularly auditing and removing inactive users reduces your attack surface and improves overall security posture.

Prerequisites

  • AWS Console access with IAM permissions
  • Target user: remediation-iam-users-unused-user

Step 1: Navigate to IAM Users Console

Navigate to the IAM Users console in the AWS Management Console.

Step 2: Find the Unused User

Search for remediation-iam-users-unused-user in the search/filter field and click the username to open the user details page.

Step 3: Review User Activity

Review the user's activity summary. Check Last console sign-in and Last activity to confirm the user has been inactive for 90+ days. This validates that the user is safe to remove.

Step 4: Check Access Keys

Click the Security credentials tab to review the user's access keys.

Check the Access keys section. Verify that any access keys are either not present or show a "Last used" date older than 90 days. If active access keys exist, they should be deactivated before deleting the user to avoid breaking any undiscovered integrations.
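Steps 3 and 4 check one user by hand in the console. The same 90-day rule can be applied to every user in the account at once by reading the IAM credential report (the CSV returned by `aws iam generate-credential-report` followed by `aws iam get-credential-report`). The script below is an added example and not part of this tutorial; the three report rows, the account ID and the fixed "today" date are constructed so that it runs offline, and only the report columns the check needs are included.

```python
"""Find IAM users with no console sign-in or access-key use in the last 90 days.

Added example (not the tutorial's code): applies the tutorial's inactivity
rule to an IAM credential report. The sample report below is constructed;
a real one is produced by `aws iam get-credential-report` (base64-encoded CSV).
"""
import csv
import io
from datetime import datetime, timedelta, timezone

INACTIVITY_DAYS = 90

# Constructed sample report, trimmed to the columns used here. The real report
# uses the markers N/A, no_information and not_supported for "no date".
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
remediation-iam-users-unused-user,arn:aws:iam::123456789012:user/remediation-iam-users-unused-user,2023-01-10T08:00:00+00:00,true,2023-06-01T09:12:00+00:00,true,2023-05-20T11:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2022-03-01T00:00:00+00:00,false,not_supported,true,2024-04-30T17:45:00+00:00,false,N/A
new-hire,arn:aws:iam::123456789012:user/new-hire,2024-04-25T12:00:00+00:00,true,no_information,false,N/A,false,N/A
"""

# Fixed "today" so the sample gives the same answer every run (use datetime.now(timezone.utc) for real data).
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Return a datetime for an ISO-8601 report field, or None for the no-date markers."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def last_activity(row):
    """Most recent of console sign-in and either access key's last use; None if never used."""
    stamps = [parse_ts(row["password_last_used"]),
              parse_ts(row["access_key_1_last_used_date"]),
              parse_ts(row["access_key_2_last_used_date"])]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def classify_users(report_csv, now=NOW, days=INACTIVITY_DAYS):
    """Return {user: (days_since_last_activity, active_key_count)} for users past the threshold.

    A user that has never signed in or used a key is measured from its creation
    time, so a freshly created account is not flagged on day one.
    """
    cutoff = now - timedelta(days=days)
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # the root row is reviewed separately and is never deleted
        last = last_activity(row) or parse_ts(row["user_creation_time"])
        if last is None or last > cutoff:
            continue
        active_keys = sum(row[k] == "true" for k in ("access_key_1_active", "access_key_2_active"))
        findings[row["user"]] = ((now - last).days, active_keys)
    return findings


if __name__ == "__main__":
    for user, (idle_days, keys) in classify_users(SAMPLE_REPORT).items():
        print(f"{user}: inactive for {idle_days} days, {keys} active access key(s)")
```

On the sample, only remediation-iam-users-unused-user is reported (inactive for 334 days, with one still-active key), which is exactly the case the console walkthrough deals with. The active-key count tells you whether Step 4's deactivation is needed before deletion. To run it against a real account, feed the decoded report into `classify_users` instead of `SAMPLE_REPORT`.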

Step 5: Review Permissions

Click the Permissions tab. If the user has any attached policies or group memberships, these will be automatically removed when the user is deleted. Note any policies for your records if needed.

Step 6: Delete the User

Click Delete to begin the user deletion process.

Step 7: Confirm Deletion

In the confirmation dialog, type the username remediation-iam-users-unused-user in the input field and click Delete user. This action is irreversible.

Step 8: Verify Deletion

Verify the success message confirms the user has been deleted. The user will no longer appear in the IAM users list.

Alternative Approaches

AWS CLI

Delete a user using the AWS CLI. The attached resources are removed first, because delete-user fails while any access key, login profile, policy or group membership remains. Each list command prints several IDs on one line with --output text, so the IDs are iterated with a shell loop rather than xargs -I, which would pass the whole line as a single argument:

USER=remediation-iam-users-unused-user

# Remove access keys
for key_id in $(aws iam list-access-keys --user-name "$USER" \
    --query 'AccessKeyMetadata[*].AccessKeyId' --output text); do
  aws iam delete-access-key --user-name "$USER" --access-key-id "$key_id"
done

# Remove inline policies
for policy in $(aws iam list-user-policies --user-name "$USER" \
    --query 'PolicyNames' --output text); do
  aws iam delete-user-policy --user-name "$USER" --policy-name "$policy"
done

# Detach managed policies
for arn in $(aws iam list-attached-user-policies --user-name "$USER" \
    --query 'AttachedPolicies[*].PolicyArn' --output text); do
  aws iam detach-user-policy --user-name "$USER" --policy-arn "$arn"
done

# Remove from groups
for group in $(aws iam list-groups-for-user --user-name "$USER" \
    --query 'Groups[*].GroupName' --output text); do
  aws iam remove-user-from-group --user-name "$USER" --group-name "$group"
done

# Remove the console password, if the user has one (ignore the error if not)
aws iam delete-login-profile --user-name "$USER" 2>/dev/null || true

# Delete the user (MFA devices, signing certificates or SSH public keys, if any, must also be removed first)
aws iam delete-user --user-name "$USER"

Staged Approach

Instead of immediate deletion, consider a staged approach:

  1. Deactivate access keys and remove console access first
  2. Wait 2 weeks for anyone to report issues
  3. If no one reports problems, proceed with full deletion
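The first stage above (deactivate keys, remove console access) is the reversible part of the process, so it is worth scripting so that it can be applied and, if someone reports breakage during the two-week wait, undone. The code below is an added example and not the tutorial's own; it is written against the three boto3 IAM client calls it uses (list_access_keys, update_access_key, delete_login_profile) and takes the client as a parameter, so it runs offline against the constructed FakeIam stand-in and would take boto3.client("iam") for a real account. The access key IDs are constructed sample values.

```python
"""Stage an IAM user for removal: deactivate (not delete) its access keys and
remove its console password, keeping the user itself so it can be restored.

Added example, not the tutorial's code. `iam` is any object exposing the boto3
IAM client methods used here; FakeIam below is a constructed in-memory stand-in.
"""


def stage_user(iam, user_name):
    """Deactivate every active access key and delete the login profile.

    Returns what was changed so the caller can record it and reverse the key
    deactivation later. A deleted login profile cannot be restored as-is; a new
    console password would have to be issued if the user is ever needed again.
    """
    changed = {"deactivated_keys": [], "login_profile_removed": False}
    for meta in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        if meta["Status"] == "Active":
            iam.update_access_key(UserName=user_name, AccessKeyId=meta["AccessKeyId"], Status="Inactive")
            changed["deactivated_keys"].append(meta["AccessKeyId"])
    try:
        iam.delete_login_profile(UserName=user_name)
        changed["login_profile_removed"] = True
    except iam.exceptions.NoSuchEntityException:
        pass  # the user never had a console password; nothing to remove
    return changed


def restore_keys(iam, user_name, key_ids):
    """Re-activate the given keys if the waiting period turns up a dependency on them."""
    for key_id in key_ids:
        iam.update_access_key(UserName=user_name, AccessKeyId=key_id, Status="Active")


class FakeIam:
    """Constructed offline stand-in for boto3's IAM client (only the calls used above)."""

    class exceptions:
        class NoSuchEntityException(Exception):
            pass

    def __init__(self, key_ids, has_login_profile):
        self.keys = {k: "Active" for k in key_ids}
        self.has_login_profile = has_login_profile

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s} for k, s in self.keys.items()]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = Status

    def delete_login_profile(self, UserName):
        if not self.has_login_profile:
            raise self.exceptions.NoSuchEntityException()
        self.has_login_profile = False


if __name__ == "__main__":
    # Constructed sample: two active keys and a console password.
    fake = FakeIam(["AKIA0000000000EXAMPLE1", "AKIA0000000000EXAMPLE2"], has_login_profile=True)
    result = stage_user(fake, "remediation-iam-users-unused-user")
    print(result)       # {'deactivated_keys': [...both IDs...], 'login_profile_removed': True}
    print(fake.keys)    # both keys now 'Inactive'; the user still exists
```

Keep the returned dictionary with the ticket for the removal: after the waiting period it is the list of what to delete permanently, and until then it is the list of what `restore_keys` would re-enable.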

Cost Impact

No direct cost savings — IAM users are free. However, removing unused IAM users reduces your attack surface and improves security posture by eliminating dormant credentials that could be compromised.

Summary

Successfully deleted the unused IAM user by:

  1. Confirming inactivity for 90+ days via the user activity summary
  2. Verifying access keys are inactive or absent
  3. Reviewing attached permissions for documentation
  4. Deleting the user through the AWS Console with confirmation
  5. Validating the user was removed from the IAM users list

Always verify user activity and access key usage before deletion to avoid disrupting active services.